MySQL and SSL on Ubuntu Precise 12.04

I’ve had a nightmare the last couple of days getting MySQL replication set up over SSL. Turns out some things have changed since upgrading to Ubuntu 12.04 Precise. In the end, the solutions were simple.

First, the server-key.pem file needs to have RSA in the header. I manually edited the keys and added the RSA part, and it worked, like so:

-----BEGIN RSA PRIVATE KEY-----

Second, I learned that certificates generated by openssl on Precise do not work with MySQL on Precise. To get around that issue, I generated my certs on an old 10.04 box and it worked fine. Prior to that, when trying to connect, I got the error:

ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

Finally, after two days of messing about, replication is once again running, and SSL enabled.

One thought on “MySQL and SSL on Ubuntu Precise 12.04”

  1. Hi,

    Certificates and keys generated with openssl 1.0 and newer (as available on Ubuntu 12.04) work fine if you remember to convert the RSA key from the newer PKCS #8 format (“BEGIN PRIVATE KEY”) to the PKCS #1 format (“BEGIN RSA PRIVATE KEY”) that older versions of openssl used.

    openssl rsa -in pkcs8_or_pkcs1_key.pem -out pkcs1_key_compatible_with_yassl.pem

    That should do the trick.

    Additionally, yaSSL doesn’t support certificates with SHA256 digests, something which will be a problem with Ubuntu 14.04 as its installation of openssl will generate such certificates by default. Use the -sha1 switch to openssl req and openssl x509 -req to fix this.

    I’ve posted the same details here, more or less:
    http://askubuntu.com/a/439274/262116
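
The PKCS #8 to PKCS #1 conversion described in the comment above, as an added example that is not code from the post or its commenter: for an unencrypted RSA key, the PKCS #8 file is a wrapper whose OCTET STRING holds the PKCS #1 key, so converting means unwrapping that field and writing it under the "BEGIN RSA PRIVATE KEY" label. The function names are hypothetical and the sample is a constructed placeholder structure, not a real key.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("06092a864886f70d010101")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def to_pkcs1(pem):
    """Return an unencrypted RSA key as PKCS #1 PEM, unwrapping PKCS #8 if needed."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    if label == "RSA PRIVATE KEY":
        return pem_encode(label, der)              # already PKCS #1
    if label != "PRIVATE KEY":                     # e.g. ENCRYPTED PRIVATE KEY
        raise ValueError(f"unsupported PEM label: {label}")
    tag, start, _ = read_tlv(der, 0)               # PrivateKeyInfo SEQUENCE
    _, _, pos = read_tlv(der, start)               # version INTEGER
    _, alg_start, alg_end = read_tlv(der, pos)     # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or not der[alg_start:alg_end].startswith(RSA_OID):
        raise ValueError("not a PKCS #8 RSA key")
    tag, key_start, key_end = read_tlv(der, alg_end)  # privateKey OCTET STRING
    if tag != 0x04:
        raise ValueError("privateKey OCTET STRING missing")
    return pem_encode("RSA PRIVATE KEY", der[key_start:key_end])

# Constructed sample: PKCS #8 wrapper around a placeholder SEQUENCE holding one
# 128-byte INTEGER (stands in for the real RSAPrivateKey fields; not a usable key).
SAMPLE_DER = bytes.fromhex("30819b 020100 300d06092a864886f70d0101010500"
                           "048186 308183 028180") + b"\x01" * 128
SAMPLE_PKCS8 = pem_encode("PRIVATE KEY", SAMPLE_DER)

if __name__ == "__main__":
    print(to_pkcs1(SAMPLE_PKCS8))
```

Passphrase-protected keys ("BEGIN ENCRYPTED PRIVATE KEY") are rejected rather than converted, since unwrapping them requires decryption.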
